Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses, through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses the intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6.

Published: Reserved 2025-11-21 | Published 2025-11-29 | Updated 2025-12-01 | Assigner GitHub_M

Severity: HIGH 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N)

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-284: Improper Access Control

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Product status

< 4.5.6: affected

References

github.com/...rallly/security/advisories/GHSA-65wg-8xgw-f3fg (exploit)

github.com/...rallly/security/advisories/GHSA-65wg-8xgw-f3fg

github.com/...ommit/59738c04f9a8ec25f0af5ce20ad0eab6cf134963

github.com/lukevella/rallly/releases/tag/v4.5.6

cve.org (CVE-2025-66027)

nvd.nist.gov (CVE-2025-66027)